A newly reported memory corruption vulnerability in a SUID-root program installed by default on every major Linux distribution can be trivially exploited by any unprivileged local user to obtain full root privileges on a vulnerable host.
The bug, tracked as CVE-2021-4034 and named PwnKit, was uncovered by Qualys researchers towards the end of 2021, but has apparently been hiding “in plain sight” since May 2009.
It exists in pkexec, part of polkit (formerly PolicyKit), the component that governs how unprivileged processes interact with privileged ones on Unix-like operating systems. Used legitimately, pkexec lets a user run a command as another user, typically root, once polkit's policy has authorised the request; to do so it is installed set-user-ID root, which is why a memory-safety bug in it becomes a privilege-escalation problem.
In a formal disclosure notice, Bharat Jogi, director of vulnerability and threat research at Qualys, wrote: “Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit and obtain full root privileges on default installations of Ubuntu, Debian, Fedora and CentOS. Other Linux distributions are likely vulnerable and probably exploitable.
“As soon as our research team confirmed the vulnerability, Qualys engaged in responsible vulnerability disclosure and has coordinated with both vendor and open source distributions to announce the vulnerability.”
According to Red Hat, the vulnerability hinges on pkexec not handling its argument count correctly: when it is started with an empty argument list (an argc of zero, which any local user can arrange by calling execve directly rather than going through a shell), it reads past the end of argv into the environment and treats an environment variable as the command to run. A malicious actor can exploit this by crafting environment variables so that pkexec ends up executing arbitrary code as root.
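To make the argument-count bug concrete, the following is an added illustration written for this page; it is not Qualys's exploit and not polkit's source. It models the layout Linux gives a new process, in which the NULL that terminates argv is immediately followed by envp, and runs a flawed lookup shaped like pkexec's (argument index starting at 1, no check on argc, resolved path written back into argv) against an empty argument list, beside a hardened version that refuses to run without an argv[0], as the upstream fix does. The function names, the sample environment variable EXAMPLE_VAR and the stand-in path /usr/bin/resolved are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Model of the Linux process start-up layout: argv[0..argc-1], a NULL
 * terminator, then envp[0..] and a final NULL, in one contiguous array.
 * Hence envp == &argv[argc + 1], and with argc == 0, argv[1] is envp[0].
 * The "flawed" and "fixed" lookups are stand-ins written for this page. */

#define MAX_SLOTS 16

struct start_area {
    int    argc;
    char  *slots[MAX_SLOTS];   /* argv..., NULL, envp..., NULL */
    char **argv;
    char **envp;
};

/* Lay out an argument list (possibly empty) and an environment the way
 * execve() leaves them for the new program. */
static void lay_out(struct start_area *sa, char *const *args, int nargs,
                    char *const *env, int nenv)
{
    int i = 0;
    sa->argc = nargs;
    sa->argv = sa->slots;
    for (int a = 0; a < nargs; a++) sa->slots[i++] = args[a];
    sa->slots[i++] = NULL;                 /* argv[argc] terminator */
    sa->envp = &sa->slots[i];              /* environment starts right after */
    for (int e = 0; e < nenv; e++) sa->slots[i++] = env[e];
    sa->slots[i] = NULL;
}

/* Shape of the flawed lookup: the index starts at 1 and is used without
 * checking argc, and the resolved path is written back into argv[n], as
 * pkexec did after its PATH search. With argc == 0 both land on envp[0]. */
static const char *flawed_pick_program(int argc, char **argv, char *resolved)
{
    int n = 1;
    for (; n < argc; n++)
        if (argv[n][0] != '-') break;      /* stand-in for option parsing */
    const char *prog = argv[n];            /* argc == 0: reads envp[0] */
    if (prog == NULL) return NULL;         /* argc == 1: usage message */
    argv[n] = resolved;                    /* argc == 0: overwrites envp[0] */
    return prog;
}

/* Hardened form: refuse to run without an argv[0], as the upstream fix
 * does, and never index at or past argc. */
static const char *fixed_pick_program(int argc, char **argv, char *resolved)
{
    if (argc < 1) return NULL;             /* started with an empty argv */
    int n = 1;
    for (; n < argc; n++)
        if (argv[n][0] != '-') break;
    if (n >= argc) return NULL;            /* nothing to run */
    const char *prog = argv[n];
    argv[n] = resolved;                    /* in bounds */
    return prog;
}

/* Constructed sample inputs: one environment variable and a stand-in for
 * the result of the PATH search. */
static char g_env0[] = "EXAMPLE_VAR=from-environment";
static char g_resolved[] = "/usr/bin/resolved";

/* Start-up area for a process started with execve(path, {NULL}, env). */
static void empty_argv(struct start_area *sa)
{
    char *env[] = { g_env0 };
    lay_out(sa, NULL, 0, env, 1);
}

/* Is envp really the slot just after argv's NULL terminator? */
int envp_follows_argv(void)
{
    struct start_area sa;
    empty_argv(&sa);
    return sa.envp == sa.argv + sa.argc + 1;
}

/* argc == 0 through the flawed code: the "program" comes from the environment. */
const char *flawed_empty_argv_program(void)
{
    struct start_area sa;
    empty_argv(&sa);
    return flawed_pick_program(sa.argc, sa.argv, g_resolved);
}

/* ...and envp[0] now holds the written-back path instead of the variable. */
const char *flawed_empty_argv_env0_after(void)
{
    struct start_area sa;
    empty_argv(&sa);
    flawed_pick_program(sa.argc, sa.argv, g_resolved);
    return sa.envp[0];
}

/* The fixed code refuses to run and leaves the environment untouched. */
const char *fixed_empty_argv_program(void)
{
    struct start_area sa;
    empty_argv(&sa);
    return fixed_pick_program(sa.argc, sa.argv, g_resolved);
}

const char *fixed_empty_argv_env0_after(void)
{
    struct start_area sa;
    empty_argv(&sa);
    fixed_pick_program(sa.argc, sa.argv, g_resolved);
    return sa.envp[0];
}

/* A normal invocation, argv = {"pkexec", "id"}, is unaffected by the check. */
const char *flawed_normal_program(void)
{
    struct start_area sa;
    static char a0[] = "pkexec", a1[] = "id";
    char *args[] = { a0, a1 };
    char *env[] = { g_env0 };
    lay_out(&sa, args, 2, env, 1);
    return flawed_pick_program(sa.argc, sa.argv, g_resolved);
}

int main(void)
{
    printf("flawed, argc == 0: program taken from %s\n", flawed_empty_argv_program());
    printf("flawed, argc == 0: envp[0] afterwards = %s\n", flawed_empty_argv_env0_after());
    printf("fixed,  argc == 0: %s\n", fixed_empty_argv_program() ? "ran" : "refused");
    return 0;
}
```

The write-back is the part that makes the bug usable rather than a harmless crash: it plants a string of the caller's choosing in the SUID process's environment after the dynamic loader has already sanitised that environment, and code that consults the environment later in the process runs with the planted value. A caveat for anyone testing this: Linux 5.18 and later substitute an empty argv[0] when a program is started with no arguments at all, which removes the argc == 0 condition for pkexec on those kernels, but that is a kernel hardening measure and not a substitute for patching polkit.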
PwnKit is considered exceptionally dangerous because pkexec is so widely deployed and the bug is so easy to exploit; for that reason, Qualys has chosen not to publish technical details of its exploit.
Patches for PwnKit are already dropping: Red Hat and Ubuntu have published advisories for their users, and polkit's maintainers have made a fix available on GitHub, but Jogi warned that the vulnerability is likely to be exploited by malicious actors imminently. Where the patched package cannot be installed yet, users can mitigate against PwnKit by removing the SUID bit from pkexec (Qualys's guidance is to set its mode to 0755), bearing in mind that this disables pkexec's privileged functionality rather than fixing the bug and should be treated as a stopgap until the package is updated.
Qualys customers may, incidentally, already use the firm’s VMDR vulnerability management tool to scan for at-risk assets, while users of its extended detection and response service can also scan for post-exploitation activity on their systems.